lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <237868876.20090518173723@Zoller.lu>
Date: Mon, 18 May 2009 17:37:23 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	<info@...cl.etat.lu>, <vuln@...unia.com>, <cert@...t.org>,
	<nvd@...t.gov>, <cve@...re.org>
Subject: [TZO-22-2009] Bitdefender generic evasion of heuristics (for PDF)

________________________________________________________________________

                 From the low-hanging-fruit-department
             Bitdefender generic evasion of heuristics (for PDF)
________________________________________________________________________

CHEAP Plug :
************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************************************************************************

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
WWW         : http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html
Vendor      : http://www.bitdefender.com
Status      : Patched (with sig update after 13.05.2009)
CVE         : none provided
Credit      : none 
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 5 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Bitdefender Antivirus 2009 
- Bitdefender Internet Security 2009 
- Bitdefender Total Security 2009 
- Bitdefender Small Office Security 
- Bitdefender for Fileservers 
- Bitdefender for Samba
- Bitdefender for Sharepoint 
- Bitdefender Security for Exchange 
- Bitdefender Security for Mailservers 
- Bitdefender for ISA Servers 
- Bitdefender Client security 

Bundles:
- BitDefender Business Security 
- Bitdefender Antivirus for Unices 
- Bitdefender Corporate Security 
- Bitdefender SBS Security 

I. Background
~~~~~~~~~~~~~
Quote: "BitDefenderā„¢ provides security solutions to satisfy the protection requirements 
of today's computing environment, delivering effective threat management for 
over 41 million home and corporate users in more than 100 countries. BitDefender, 
a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in 
Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and 
Fort Lauderdale (FL), USA."


II. Description
~~~~~~~~~~~~~~~
The heuristics can be bypassed by a special formatted PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the AV engine "through various means".


III. Impact
~~~~~~~~~~~
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly this opens the possibility to evade at scan time and
run-time.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
08/05/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
                         
13/05/2009 : Bitdefender notifies my that the patch was deployed.


[1]
Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilate communication and reduce lost reports.




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ